I've been using the ThinkTecture Identity Server to experiment with federated security and claims based authentication in Windows Identity Foundation. I'm running Identity Server on a separate box, using a self-signed certificate created in IIS for SSL and encrypting tokens in Identity Server.
I'm running a local MVC application, configured to use Identity in Visual Studio 2013 by pointing the identity tool to the FederationMetadata file for Identity Server. Part of this configuration includes a <trustedIssuers> section, which includes the thumbprint of the certificate of the Identity Server.
All that is pretty straight forward, but I'm confused as to how the thumbprint is being used on the client to trust the Identity Server. Originally, I thought that somehow the thumbprint value was used directly in validating the token issued, but reading more into it I've found that the thumbprint is used to look up the actual certificate on my machine. However, to my knowledge I never had to export the Identity Server certificate and install it on my client machine, it just worked.
How is WIF using the thumbprint in this scenario, if I do not actually install the certificate myself?
By default - the public key to validate the signature is embedded in the token response - that means the RP does
Validate the signature using the embedded certificate
Create the thumbprint (hash) over the embedded certificate and make sure that matches the configured thumbprint.
This way you don't need to deploy the cert on the RP.
Related
I'm working on some WCF application. I already have client-side and server-side. Both communicates using WCF netTcpBinding or netNamedPipe. I want also a certificate only on server side, similar as it is with HTTPS. I've found very helpful guide here click.
So according to this article, I'm interested in option 1 which is
Option one provides (C + I) no authentication will happen for the client, In this case the TCP SSL (not the HTTPS SSL) will be used to provide the Confidentiality and Integrity, and the service will be configured like this below.
For now everything is clear for me, unfortunately later we can read:
also you need to install the root certificate authority certificate for the service certificate on the client machine (typically in the Local Machine/Trusted Root Certification Authorities), and the service needs to have the below behaviour to specify the certificate for the service.
So here comes my question, is there any way to avoid changes on client machine? As mentioned earlier, I'm looking for a solution similar to WEB where the user is not obligated to install any kind of certificate on his machine.
Maybe I'm missing something, but maybe this rule applies only when I'm using a self-trusted/developer certificate? What if I will get certificate from a trusted company like Verisign?
Install the certificate on the client-side simply to guarantee that the service on the server-side is trusted and that communication I secure. Just like visiting a website, we usually have a built-in certificate for the site before we browse the website, so the browser prompts the website is trusted. Unlike self-signed certificate, website certificates are issued by trusted third-party organizations to a specific host (web server), so all we need to do on the client-side is to install authoritative trusted third-party certificate before accessing the website. but we directly install the server-certificate on the client-side when we configure a self-signed certificate in the Local CA.
In fact, Browsers/OS already have some authoritative third-party certificate built-in. such as GlobalSign, VeriSign, so we just need to buy a certificate from them and configure them on the server-side, in which case, the client always trusts the server.
In addition to installing the server-side certificate, we may also need to configure the server-side identity on the client-side, which is usually the public key of the certificate, or the hostname. These configurations are generated automatically if we generate the client proxy and invoke the service by adding a service reference.
Feel free to let me know if there is anything I can help with.
You don‘t need install somethings when you use an certificate issued by an trusted CA like GoDaddy and so on.
I have an ASP.NET Core 2.2 web app running on Ubuntu. The web app is served by Kestrel configured as an Ubuntu service, running as www-data user.
The web app uses a PFX certificate for signing custom responses. So, obviously I need to give www-data full read access to the PFX certificate+key pair. This seems not safe enough.
I like how nginx is doing it (I have nginx running as a reverse proxy for the web app). Nginx reads private keys and their passwords as root user when nginx process is starting up, so it's possible to set the strictest permissions on the private key of my https cert+key pair, leaving only the public .crt part accessible to www-data, and it works just fine.
I'm wondering if there is some way to achieve similar mechanism with the ASP.NET Core app, so I don't have to give read access to the PFX private key to www-data user?
I am building application which scans azure subscription and check SSL certificate expiry date. What I am trying to do is renew SSL certificate using C#.
My question is-
How certificates are managed over azure? Are they stored in some
location? if so is it possible to access using FTP?
Is there any SDK or API for updating certificate?
You can use azure management REST APIs to add , remove, manage certificates https://msdn.microsoft.com/en-us/library/azure/ee460817.aspx
but to map it to a custom domain of a web app one has to do it in the azure portal . I don't think there is an API for that.
Normally you upload the new certificate and then bind the new certificate with the custom domain under ssl settings category and save it.
I have implemented SSL connection in my application. For this I have added IIS Express Development Certificate while hosting the site in IIS.
I could use other pages with SSL. ie., https://localhost/general
I am unable to login the application using SSL. My url changing like https://localhost/accounts/login and becomes empty page.
I am getting the below error in Firefox browser.
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.
I have tried by using Self-signed certificate also.
Is this problem arise because of IIS Express Development Certificate ??
Either you use full IIS or IIS Express, the default self-signed certificates generated are SHA-1 only, and now become obsolete.
To generate SHA-2 certificates, you can use Jexus Manager,
https://blog.lextudio.com/2016/03/jexus-manager-enhanced-self-signed-certificate-generation/
I am using SSL SHA2 in ASP.Net MVC system, but browsers see the certificate as SHA1. So, I logged in to GoDaddy to be sure for the SSL certificate type, and I read this beside the type SHA2:
Unless you have interoperability issues due to legacy code that requires you to use SHA-1, it's a best practice to use SHA-2 encryption.
FYI: I am using ASP.Net MVC4, .NET framework 4.5, C#,
and I am enforcing the use of HTTPS by attribute [RequireHttps].
I just set up the SSL certificate for my web host. Both are from the same GoDaddy server and specify the domain and write the attribute.
Should I do anything else in my code? Is this related to the CSR?
Please help. Thanks.